24 Replies

We use McAfee endpoint encryption on our laptop hard drives. It is very secure and allows for an admin user ID and password along with a user ID and password so the drive can be accessed if the user forgets their ID. After each failed attempt to log on, the time it takes before you can try again increases. It can also be set to wipe the drive after X number of failed attempts, but we don't use that.

On my personal Dell I use the BIOS encryption, which isn't as good, but good enough for what I need it for. Also don't forget physical security. We are now giving out laptop cables so users can physically lock the laptop to their desk.

We haven't committed yet, but are testing Sophos' Safeguard Easy product right now and it's looking promising. It supports AD SSO, so it saves an extra password for users. We're also considering TrueCrypt, but no decision yet.

Works well, free, and easy to reset someone's password if they forget it (we have an encrypted list of everyone's passwords so we can get into them all).

We only have it on laptops here, and the only problem we've had is people occasionally forgetting the passwords (but at a much lower rate than forgetting their network passwords).

We also use TrueCrypt and our experience with it is exactly the same as Olivia3009's. We store the PWs in KeePass and surprisingly don't have to reset TrueCrypt PWs nearly as often as account PWs. We use it mostly on portable storage.

Stored on virtual network connection that is only available to 2 users (both IT Support) and only on 2 specific computers in the IT Support office (which is behind a locked door).

The problem with TrueCrypt is the lack of centralized management. I have been looking for a similar product, and have come up with two possibilities. The first is CryptZone, though I am slightly hesitant about the lack of knowledge available for the software, and the second is CheckPoint.

I have evaluated CryptZone, and been fairly happy with the software, but there are some usability issues.

I will be evaluating CheckPoint's solution as soon as they get back in touch with me.

Hi, we are looking for the best way to go about encrypting everyone's USB sticks and hard drives on their PCs for safety reasons.

I am messing around with Truecrypt at the moment but if there are alternate ways to go about it please inform me.

Full Disclosure: I work at Symantec by way of the PGP acquisition.

Hi Christopher2112,
There isn’t really a simple answer of what product or vendor you should go with for your situation. It truly depends on what the end goal is for your encryption needs.

Let me ask you this, what is the goal of encrypting your users’ USB sticks and PCs? Is this being done to protect sensitive data, or is there a compliance reason? If the answer is to just protect sensitive data, then using something like Truecrypt might work. It’s free, and it does what it’s supposed to do, encrypt and protect the data. However, if you are encrypting because of laws or regulations, then Truecrypt might not be the answer for you. Due to the various laws and regulations, you will need to “prove to auditors” that your USB stick or PC was encrypted and secured prior to it being stolen/missing. If this is the situation, then you would need another solution that can provide this information.

To take the previous point even further, in an enterprise situation, you may also need access to your users’ encrypted data. With Truecrypt, like many have mentioned, “admin passwords” are created and “secured” by storing them elsewhere. This is not a good security practice and most likely would not appease the auditors. How secure is this master list? Can you audit who has access to it? How do you ensure that a rogue admin does not access your CEO’s PC? For the enterprise, you would need the ability to access the encrypted data with a random and secure code. McAfee does this, as does PGP from Symantec. I can’t speak deeply about McAfee’s solution, but I do know that the PGP solution provides a one-time use token to access encrypted PCs. This one-time use token is also audited, so when it was accessed, and by whom, is all logged. Once the token is used, the token will be reset and can’t be used again.

Some have mentioned BitLocker since it’s there and free. I can’t argue with free. But is “free” really free? BitLocker requires very customized scripting for implementation. Unless your IT staff has this expertise, then you would need to hire outside consultants to assist in the BitLocker deployment. BitLocker also requires the use of TPM chips and there are some countries where the TPM chip is banned.

I don’t want to go on and on about this (but would be happy to if the audience wants to know more), but here are some questions that need to be asked before making a decision.
- What is the driving force behind wanting to encrypt USB and PCs?
- Do we need to be able to prove encryption for compliance reasons?
- Do we need to enforce encryption/security policies? (e.g. keep a user from decrypting the PC once encrypted)
- Do we need central management?
- Do we need SSO (single sign-on)? (e.g. one less password to remember)
- Do we have a need to access encrypted data if the user won’t give us the passphrase? (e.g. e-discovery request from legal)
- Do we need to support and encrypt Mac and Linux platforms as well?
- We are only encrypting PCs and USB sticks today, but will we need other forms of encryption later (e.g. email, other removable media, file server, etc.)?

These are just some of the basic questions off the top of my head. Encryption is pretty straightforward. The big issue with encryption is the management of it today and in the long term. Remember to look at the big picture and ask yourself “what if” questions while evaluating different products/solutions.
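The recovery model this post contrasts with the "master list of passwords" approach (a per-device recovery key held in escrow, released only through a single-use token that expires, is bound to one device, and is logged with the requesting admin and ticket) can be sketched in code. The following is an added illustration, not PGP's, Symantec's or McAfee's code; the device names, admin account, ticket numbers and the 15-minute token lifetime are constructed assumptions, and wrapping the escrowed key under an HSM-held key is left out.

```python
"""Single-use, audited recovery tokens for disk-encryption key escrow.

Constructed illustration of the pattern described in the thread: each device
gets its own random recovery key, helpdesk staff can only obtain it through a
token that is tied to one device, expires, and is invalidated when redeemed,
and every issue/redeem attempt is written to an audit log.
"""
import hashlib
import hmac
import secrets
import time


class RecoveryTokenService:
    # Assumption: a recovery token is only useful for 15 minutes.
    TOKEN_TTL_SECONDS = 15 * 60

    def __init__(self):
        # device_id -> record. In a real deployment the recovery key would be
        # wrapped under an HSM-held key; that layer is not modelled here.
        self._devices = {}
        self.audit_log = []

    def _log(self, event, device_id, admin, ticket, ok, now):
        # Who asked, for which device, under which ticket, and whether it worked.
        self.audit_log.append({
            "time": now, "event": event, "device": device_id,
            "admin": admin, "ticket": ticket, "ok": ok,
        })

    def enroll(self, device_id):
        """Generate a fresh per-device recovery key when the disk is encrypted."""
        key = secrets.token_bytes(32)
        self._devices[device_id] = {"recovery_key": key, "token_hash": None, "expires": 0}
        return key

    def issue_token(self, device_id, admin, ticket, now=None):
        """Helpdesk requests a one-time token for a named device."""
        now = time.time() if now is None else now
        rec = self._devices.get(device_id)
        if rec is None:
            self._log("issue", device_id, admin, ticket, False, now)
            return None
        token = secrets.token_urlsafe(24)
        # Only a hash is stored, so a copy of the escrow database does not
        # hand out live tokens.
        rec["token_hash"] = hashlib.sha256(token.encode()).digest()
        rec["expires"] = now + self.TOKEN_TTL_SECONDS
        self._log("issue", device_id, admin, ticket, True, now)
        return token

    def redeem(self, device_id, token, admin, ticket, now=None):
        """Exchange a token for the device's recovery key exactly once."""
        now = time.time() if now is None else now
        rec = self._devices.get(device_id)
        presented = hashlib.sha256(token.encode()).digest()
        valid = (
            rec is not None
            and rec["token_hash"] is not None      # nothing outstanding for this device
            and now <= rec["expires"]              # not expired
            and hmac.compare_digest(presented, rec["token_hash"])  # constant-time match
        )
        self._log("redeem", device_id, admin, ticket, valid, now)
        if not valid:
            return None
        # Burn the token: a second presentation of the same value fails.
        rec["token_hash"] = None
        rec["expires"] = 0
        return rec["recovery_key"]


if __name__ == "__main__":
    svc = RecoveryTokenService()
    svc.enroll("LAPTOP-CONSTRUCTED-01")  # constructed device name
    tok = svc.issue_token("LAPTOP-CONSTRUCTED-01", "helpdesk.alice", "INC-0001")
    print("first redeem ok:", svc.redeem("LAPTOP-CONSTRUCTED-01", tok, "helpdesk.alice", "INC-0001") is not None)
    print("second redeem ok:", svc.redeem("LAPTOP-CONSTRUCTED-01", tok, "helpdesk.alice", "INC-0001") is not None)
    for entry in svc.audit_log:
        print(entry)
```

The contrast with the shared list is in what an auditor can read back afterwards: every release of a recovery key is tied to an admin identity, a device and a ticket, a token cannot be replayed or used against a different device, and a leaked copy of the escrow store holds only token hashes rather than reusable passwords.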

What sort of performance hit are you willing to accept, what level of encryption do you need & what sort of hardware do you have?

I've never worked with Truecrypt so I can't offer much on that. If you're in a position to shift your licenses from Pro to Enterprise, Bitlocker is good. It has central management & a high level of security. Downside is you need to reinstall if the pc was not setup with it in mind (it needs a 1.5GB boot partition).

We use Truecrypt...it does the job but you need the client on every computer.

We use Truecrypt on Flash Drives and set it up with the application and then set the Truecrypt drive to take up all the remaining space. That way you can use it on any machine without installing Truecrypt and still have a protected drive.

We have encrypted one laptop with Truecrypt and everything seems to work well on it.

We have also looked into Safeguard which can do what you request as well, but it is somewhat pricey.

I know but I wrongfully assumed you'd have those running at your company :).

I wonder why you would make this assumption? Most companies buy their computers with a pre-installed copy of Windows 7 Pro. Unless there is a need for some feature in Enterprise or Ultimate, why would a company spend the money on a Software Assurance license or the Ultimate license in the first place?

Of course, encryption is a good reason to spend that money, but if you've had those machines for more than 90 days you can no longer purchase SA for them and instead you'd be forced to buy a NEW Pro license with SA (to receive Enterprise rights) or purchase an upgrade to Ultimate.